New ransomware strikes, Petya is here

Yesterday (June 27) another ransomware attack erupted worldwide. The attack is concentrated in Ukraine, including national corporations, the airport of Kijev, the Ukrainian Central Bank and since more countries confirmed the spread of the virus. The electric paying system in the subway in Kijev is also stopped working and a few gas station is also not serving customers.

The attack is not yet analyzed, the malware used is most likely a variant of Petya or PetrWrap (newer version). This ransomware is not encrypting the files individually, but the MBR (Master Boot Record) records of the hard drive so the hard drive completely.

It is showing similar scope and intensity as WannaCry and probably spreading using the same leaked NSA EternalBlue exploit. Kaspersky Lab malware analyst Vyacheslav Zakorzhevsky said infections were traced to a “new ransomware we haven’t seen before.”

It seems to be capable of infecting any devices it can connect with, which makes it fast to spread. And it is enough to find one unprotected device in the system, from what it can spread in the network using admin permissions. The propagation method appears to be via the Remote Desktop Protocol (RDP) and/or Server Message Block (SMB) protocols.

Signs of Infection

The ransomware might display the following message on the infected PC:

Repairing file system on C:

The type of the file system is NTFS. One of your disks contains errors and needs to be repaired. This process may take several hours to complete. It is strongly recommended to let it complete.

WARNING: DO NOT TURN OFF YOUR PC! IF YOU ABORT THIS PROCESS, YOU COULD DESTROY ALL OF YOUR DATA! PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED IN!

CHKDSK is repairing sector xxxxx of xxxxxxxx (x%)

After the encryption the systems might prompt the user to reboot. After the reboot the ransom screen is displayed.

Still more and more reporting the spread of the virus. The ransomware is asking for $300 worth of bitcoins to return the data to the victims. It is advised not to pay the ransom, because it encourages more attacks like these. Make sure to have a good and separated backup of your data to prevent these kind of attacks hurting you.